Chapter 6: Internet Protocol Security

Outline
• Internetworking and Internet Protocols
(Appendix 6A)
• IP Security Overview
• IP Security Architecture
• Authentication Header
• Encapsulating Security Payload
• Combinations of Security Associations
• Key Management
TCP/IP Example (figure)
IPv4 Header (figure)
IPv6 Header (figure)
IP Security Overview
IPSec is not a single protocol.
Instead, IPSec provides a set of
security algorithms plus a general
framework that allows a pair of
communicating entities to use
whichever algorithms provide security
appropriate for the communication.
IP Security Overview
• Applications of IPSec
– Secure branch office connectivity over
the Internet
– Secure remote access over the Internet
– Establishing extranet and intranet
connectivity with partners
– Enhancing electronic commerce security
IP Security Scenario (figure)
IP Security Overview
• Benefits of IPSec
– Transparent to applications (IPSec sits below
the transport layer: TCP, UDP)
– Provides security for individual users
• IPSec can assure that:
– A router or neighbor advertisement comes from
an authorized router
– A redirect message comes from the router to
which the initial packet was sent
– A routing update is not forged
IP Security Architecture
• IPSec documents (the original 1998 RFCs):
– RFC 2401: An overview of the security
architecture
– RFC 2402: Description of a packet
authentication extension to IPv4 and IPv6
(the Authentication Header, AH)
– RFC 2406: Description of a packet
encryption extension to IPv4 and IPv6
(the Encapsulating Security Payload, ESP)
– RFC 2408: Specification of key
management capabilities (ISAKMP)
• These have since been obsoleted: the current
architecture is RFC 4301, AH is RFC 4302, ESP is
RFC 4303, and key management is IKEv2 (RFC 7296)
IPSec Document Overview (figure)
IPSec Services
• Access control
• Connectionless integrity
• Data origin authentication
• Rejection of replayed packets
• Confidentiality (encryption)
• Limited traffic flow confidentiality
Security Associations (SA)
• A one-way relationship between a
sender and a receiver (two SAs are needed
for two-way protected traffic).
• Identified by three parameters:
– Security Parameter Index (SPI)
– IP destination address
– Security Protocol Identifier (AH or ESP)
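As an added example (not from the slides): a small Security Association Database keyed by the (SPI, destination address, protocol) triple, together with the per-SA sliding anti-replay window from RFC 2401 Appendix C that implements the "rejection of replayed packets" service. The class and function names (SecurityAssociation, SAD, inbound_check) are this example's own; the 64-bit default window and the rule that sequence number 0 is never valid follow the RFC. Note that RFC 4301 later relaxed the triple: a unicast inbound SA is looked up by SPI alone (optionally plus protocol), the destination address being needed only for multicast SAs.

```python
"""Security Association Database (SAD) lookup plus anti-replay window.

Added example, not from the slides. The window algorithm is the one in
RFC 2401 Appendix C: a bitmap whose bit 0 stands for the highest sequence
number seen so far and whose bit i marks that (highest - i) was received.
"""
import ipaddress
from dataclasses import dataclass

# IP protocol numbers of the two IPsec protocols (the "Security Protocol Identifier")
AH = 51
ESP = 50


@dataclass
class SecurityAssociation:
    spi: int
    dst: str
    protocol: int            # AH or ESP
    window_size: int = 64    # RFC 2401: at least 32, 64 recommended
    highest_seq: int = 0     # right edge of the window
    bitmap: int = 0          # bit i set => sequence number highest_seq - i was seen

    def check_replay(self, seq: int) -> bool:
        """Accept and record seq, or reject it as a replay / as too old.

        Sequence number 0 is never valid: the first packet on an SA is 1.
        """
        if seq == 0:
            return False
        mask = (1 << self.window_size) - 1
        if seq > self.highest_seq:
            # New right edge: slide the window and mark the new packet as seen.
            shift = seq - self.highest_seq
            self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.highest_seq = seq
            return True
        offset = self.highest_seq - seq
        if offset >= self.window_size:
            return False     # left of the window: too old to check, drop it
        if self.bitmap & (1 << offset):
            return False     # already received: replay, drop it
        self.bitmap |= 1 << offset
        return True


class SAD:
    """Inbound SA lookup keyed by (SPI, destination IP, protocol)."""

    def __init__(self) -> None:
        self._table: dict = {}

    @staticmethod
    def _key(spi: int, dst: str, protocol: int):
        # Normalise the address text so that "2001:db8::1" and
        # "2001:0db8:0:0:0:0:0:1" select the same SA.
        return (spi, ipaddress.ip_address(dst).compressed, protocol)

    def add(self, sa: SecurityAssociation) -> None:
        self._table[self._key(sa.spi, sa.dst, sa.protocol)] = sa

    def lookup(self, spi: int, dst: str, protocol: int):
        return self._table.get(self._key(spi, dst, protocol))


def inbound_check(sad: SAD, spi: int, dst: str, protocol: int, seq: int) -> str:
    """Decide what to do with an inbound AH/ESP packet: 'accept', 'no-sa' or 'replay'."""
    sa = sad.lookup(spi, dst, protocol)
    if sa is None:
        return "no-sa"       # RFC 2401: no matching SA => discard and audit
    return "accept" if sa.check_replay(seq) else "replay"


if __name__ == "__main__":
    db = SAD()
    db.add(SecurityAssociation(spi=0x1000, dst="10.0.0.2", protocol=ESP))
    for seq in (1, 1, 100, 90, 90, 36, 37):     # constructed sequence numbers
        print(seq, inbound_check(db, 0x1000, "10.0.0.2", ESP, seq))
```

The receiver keeps one window per SA, so a packet replayed on a different SA (different SPI or protocol) simply fails the lookup rather than the window check; both outcomes are drops that should be audited.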
Scope of protection for each protocol, by SA mode:

AH
  Transport mode SA: Authenticates the IP payload and selected
  portions of the IP header and IPv6 extension headers.
  Tunnel mode SA: Authenticates the entire inner IP packet plus
  selected portions of the outer IP header.

ESP
  Transport mode SA: Encrypts the IP payload and any IPv6
  extension headers following the ESP header.
  Tunnel mode SA: Encrypts the inner IP packet.

ESP with authentication
  Transport mode SA: Encrypts the IP payload and any IPv6
  extension headers following the ESP header. Authenticates
  the IP payload but not the IP header.
  Tunnel mode SA: Encrypts the inner IP packet. Authenticates
  the inner IP packet.
Before applying AH (figure)
Transport Mode (AH Authentication) (figure)
Tunnel Mode (AH Authentication) (figure)
Authentication Header
• Provides data integrity and data origin
authentication for IP packets, using a MAC
(e.g. HMAC-SHA-1-96) carried in the AH
integrity check value (ICV).
• Guards against replay attacks through the
AH sequence number and the receiver's
anti-replay window.
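As an added example (not from the slides): AH in transport mode over IPv4 with HMAC-SHA-1-96, showing concretely what "selected portions of the IP header" means. Before computing the ICV the sender zeroes the mutable IPv4 fields (ToS, flags, fragment offset, TTL, header checksum) and the AH ICV field itself, so a router that decrements TTL and recomputes the checksum does not break authentication, while any change to the addresses, the protocol field, the AH fields or the payload does. The function names are this example's own; IPv4 options are assumed absent (IHL = 5), and the 20-byte key and the packet contents are constructed test data.

```python
"""AH in transport mode over IPv4 with HMAC-SHA-1-96.

Added example, not from the slides. Assumes no IPv4 options (IHL = 5).
"""
import hashlib
import hmac
import socket
import struct

AH_PROTO = 51          # IP protocol number for AH
ICV_LEN = 12           # HMAC-SHA-1-96: the 160-bit HMAC output truncated to 96 bits
AH_LEN = 12 + ICV_LEN  # fixed AH fields (Next Hdr, Payload Len, Reserved, SPI, Seq) + ICV


def ipv4_checksum(hdr: bytes) -> int:
    """Standard one's-complement checksum over the 16-bit words of the header."""
    total = sum((hdr[i] << 8) | hdr[i + 1] for i in range(0, len(hdr), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4_header(src: str, dst: str, total_len: int, proto: int, ttl: int = 64) -> bytes:
    # version/IHL, ToS, total length, identification, flags+offset (DF), TTL, proto, checksum, src, dst
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def zero_mutable_fields(ip_hdr: bytes) -> bytes:
    """RFC 2402 3.3.3.1: mutable header fields are zeroed for ICV computation."""
    h = bytearray(ip_hdr)
    h[1] = 0                # Type of Service (DSCP/ECN) may be rewritten in transit
    h[6:8] = b"\x00\x00"    # Flags and Fragment Offset
    h[8] = 0                # TTL, decremented at every hop
    h[10:12] = b"\x00\x00"  # Header Checksum, recomputed whenever TTL changes
    return bytes(h)


def ah_header(spi: int, seq: int, next_header: int, icv: bytes = b"\x00" * ICV_LEN) -> bytes:
    # Payload Len = AH length in 32-bit words minus 2, i.e. 24 / 4 - 2 = 4 here
    return struct.pack("!BBHII", next_header, AH_LEN // 4 - 2, 0, spi, seq) + icv


def compute_icv(key: bytes, ip_hdr: bytes, spi: int, seq: int, next_header: int, payload: bytes) -> bytes:
    # The MAC covers: IP header with mutable fields zeroed, AH with ICV zeroed, and the payload.
    covered = zero_mutable_fields(ip_hdr) + ah_header(spi, seq, next_header) + payload
    return hmac.new(key, covered, hashlib.sha1).digest()[:ICV_LEN]


def build_ah_packet(key: bytes, src: str, dst: str, spi: int, seq: int,
                    inner_proto: int, payload: bytes) -> bytes:
    ip_hdr = build_ipv4_header(src, dst, 20 + AH_LEN + len(payload), AH_PROTO)
    icv = compute_icv(key, ip_hdr, spi, seq, inner_proto, payload)
    return ip_hdr + ah_header(spi, seq, inner_proto, icv) + payload


def verify_ah_packet(key: bytes, packet: bytes) -> bool:
    ip_hdr = packet[:20]
    if ip_hdr[0] != 0x45 or ip_hdr[9] != AH_PROTO:
        return False
    next_header, payload_len, _, spi, seq = struct.unpack("!BBHII", packet[20:32])
    ah_end = 20 + (payload_len + 2) * 4
    icv, payload = packet[32:ah_end], packet[ah_end:]
    expected = compute_icv(key, ip_hdr, spi, seq, next_header, payload)
    return hmac.compare_digest(icv, expected)   # constant-time comparison


def router_hop(packet: bytes) -> bytes:
    """Simulate a forwarding router: decrement TTL and recompute the header checksum."""
    h = bytearray(packet[:20])
    h[8] -= 1
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", ipv4_checksum(bytes(h)))
    return bytes(h) + packet[20:]


if __name__ == "__main__":
    key = b"\x0b" * 20                                  # constructed test key
    pkt = build_ah_packet(key, "192.0.2.1", "192.0.2.2", 0x100, 1, 17, b"constructed UDP payload")
    print("fresh packet verifies:   ", verify_ah_packet(key, pkt))
    print("after two router hops:   ", verify_ah_packet(key, router_hop(router_hop(pkt))))
    print("after payload tampering: ", verify_ah_packet(key, pkt[:-1] + b"X"))
```

The ICV therefore binds the source and destination addresses, so AH cannot pass through a NAT that rewrites them; that is the usual practical argument for ESP over AH.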
End-to-end versus End-to-Intermediate Authentication (figure)
Encapsulating Security Payload
• ESP provides confidentiality (encryption of
the payload) and limited traffic flow
confidentiality; it may optionally carry an
authentication (ICV) field as well.
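As an added example (not from the slides): the ESP packet framing of RFC 2406 in transport mode with the optional authentication field, covering the trailer (padding, pad length, next header), the padding rule, and the receiver's order of operations: verify the ICV over everything from the SPI through the encrypted trailer with a constant-time compare, and only then decrypt and strip the trailer. The cipher used here is a stand-in XOR keystream derived from HMAC-SHA-1 so that the block runs with the Python standard library alone; it is not an IPsec cipher, and a real implementation substitutes a block cipher such as 3DES-CBC. Function names, keys and payloads are this example's own constructed values.

```python
"""ESP framing (RFC 2406) in transport mode with the optional ICV.

Added example, not from the slides. Packet layout:
  SPI | Seq | IV | encrypted( payload | padding | pad len | next hdr ) | ICV
The "cipher" is a stand-in keystream (NOT an IPsec cipher) so the block runs
with the standard library only.
"""
import hashlib
import hmac
import os
import struct

ICV_LEN = 12    # HMAC-SHA-1-96
BLOCK = 8       # block size of 3DES / IDEA / CAST / Blowfish; the trailer is aligned to it


def _keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """Stand-in keystream (NOT a real IPsec cipher): HMAC-SHA-1(key, iv || counter)."""
    out = b""
    for ctr in range((n + 19) // 20):
        out += hmac.new(key, iv + struct.pack("!I", ctr), hashlib.sha1).digest()
    return out[:n]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _icv(auth_key: bytes, data: bytes) -> bytes:
    return hmac.new(auth_key, data, hashlib.sha1).digest()[:ICV_LEN]


def esp_encapsulate(enc_key: bytes, auth_key: bytes, spi: int, seq: int,
                    next_header: int, payload: bytes, iv: bytes = None) -> bytes:
    iv = iv if iv is not None else os.urandom(BLOCK)
    # Pad so that payload + padding + pad length + next header is a multiple of BLOCK.
    # RFC 2406 default padding bytes are 1, 2, 3, ... so the receiver can check them.
    pad_len = (-(len(payload) + 2)) % BLOCK
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    plaintext = payload + trailer
    ciphertext = _xor(plaintext, _keystream(enc_key, iv, len(plaintext)))
    # The ICV covers the ESP header, the IV and the whole ciphertext (trailer included).
    authed = struct.pack("!II", spi, seq) + iv + ciphertext
    return authed + _icv(auth_key, authed)


def esp_decapsulate(enc_key: bytes, auth_key: bytes, packet: bytes):
    """Return (spi, seq, next_header, payload), or None if the packet must be dropped."""
    if len(packet) < 8 + BLOCK + BLOCK + ICV_LEN:
        return None
    authed, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    # 1. Authenticate first. A failed ICV is drop-and-audit; nothing is decrypted.
    if not hmac.compare_digest(icv, _icv(auth_key, authed)):
        return None
    spi, seq = struct.unpack("!II", authed[:8])
    iv, ciphertext = authed[8:8 + BLOCK], authed[8 + BLOCK:]
    # 2. Decrypt, then validate and strip the trailer.
    plaintext = _xor(ciphertext, _keystream(enc_key, iv, len(ciphertext)))
    pad_len, next_header = plaintext[-2], plaintext[-1]
    if pad_len > len(plaintext) - 2 or plaintext[-2 - pad_len:-2] != bytes(range(1, pad_len + 1)):
        return None
    return spi, seq, next_header, plaintext[:len(plaintext) - 2 - pad_len]


if __name__ == "__main__":
    enc_key, auth_key = b"\x01" * 24, b"\x02" * 20          # constructed test keys
    pkt = esp_encapsulate(enc_key, auth_key, 0x200, 7, 6, b"hello", iv=b"\x00" * BLOCK)
    print("wire bytes:", pkt.hex())
    print("decapsulated:", esp_decapsulate(enc_key, auth_key, pkt))
    tampered = bytearray(pkt)
    tampered[16] ^= 0x80                                     # flip a ciphertext bit
    print("tampered:", esp_decapsulate(enc_key, auth_key, bytes(tampered)))
```

Because the ICV is checked before decryption, a tampered or wrong-key packet is rejected without ever exposing padding-check behaviour to the sender; the SPI and sequence number are also what the receiver feeds to its SA lookup and anti-replay window before any cryptography runs.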
Encryption and
Authentication Algorithms
• Encryption:
– Three-key triple DES
– RC5
– IDEA
– Three-key triple IDEA
– CAST
– Blowfish
• Authentication:
– HMAC-MD5-96
– HMAC-SHA-1-96
ESP Encryption and Authentication (figures)
Combinations of Security Associations (figures)
Key Management
• Two types:
– Manual
– Automated
• Oakley Key Determination Protocol
• Internet Security Association and Key
Management Protocol (ISAKMP)
Oakley
• Three authentication methods:
– Digital signatures
– Public-key encryption
– Symmetric-key encryption
ISAKMP (figure)
Recommended Reading
• Comer, D. Internetworking with TCP/IP,
Volume I: Principles, Protocols and
Architecture. Prentice Hall, 1995.
• Stevens, W. TCP/IP Illustrated, Volume 1:
The Protocols. Addison-Wesley, 1994.